by unodonut 129 days ago
According to the wiki, a one-click exfiltration vulnerability has existed for more than half a year and hasn't been fixed:

> In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click. LastPass version 4.146.8 (September 12, 2025), which was intended to address the issue, remains vulnerable

https://en.wikipedia.org/wiki/LastPass#Security_incidents

1 comment

Update: with Apple's 'Passwords' app, it appears all someone needs to do to get access to every single stored password is grab your iPhone while it's unlocked, or sneak it from you while sleeping and use Face ID to unlock it.

Or, they could shoulder surf to get a 6-digit PIN to unlock the phone, then steal it, then they're in.

Seems way less secure than 'Correct Horse Battery Staple'.

Face ID is required to unlock the Passwords app if you enable Stolen Device Protection.